Transcript

Cybersecurity Challenges

Protecting DoD’s Unclassified Information

Implementing DFARS Clause 252.204-7012, Safeguarding Covered

Defense Information and Cyber Incident Reporting

October 2018

Unclassified 1

Unclassified 2

Outline

• Protecting DoD’s Unclassified Information on the

Contractor’s Internal Information System

• DFARS Clause 252.204-7012, Safeguarding Covered

Defense Information and Cyber Incident Reporting

– Implementation and Guidance

• Resources

Cyber attacks cost companies

$400 billion every year

Inga Beale, CEO, Lloyds

Cybersecurity Landscape

Cybercrime will cost businesses

over $2 trillion by 2019

Juniper Research

Cyber threats targeting government unclassified information have dramatically increased

Cybersecurity incidents have

surged 38% since 2014

The Global State of Information Security ®

Survey 2016

In a study of 200 corporate directors, 80% said that cyber security is discussed at

most or all board meetings. However, two-thirds of CIOs and CISOs say senior

leaders in their organization don’t view cyber security as a strategic priority.

NYSE Governance Services and security vendor Veracode

Impacts of successful attacks

included downtime (46%), loss of

revenue (28%), reputational damage

(26%), and loss of customers (22%)

AT&T Cybersecurity Insights Vol. 4

61% of breach victims are businesses

with <1,000 employees

80% of breaches leverage stolen,

weak, and/or guessable passwords

2017 Data Breach Investigations Report, Verizon

Unclassified 3

DoD has a range of activities that include both regulatory and voluntary

programs to improve the collective cybersecurity of the nation and

protect U.S. interests:

• Securing DoD’s information systems and networks

• Codifying cybersecurity responsibilities and procedures for the

acquisition workforce in defense acquisition policy

– Contractual requirements implemented through the Federal

Acquisition Regulation (FAR) and Defense FAR Supplement

(DFARS)

• DoD’s DIB Cybersecurity Program for voluntary cyber threat

information sharing

• Leveraging security standards such as those identified in National

Institute of Standards and Technology (NIST) Special Publication

800-171 “Protecting Controlled Unclassified Information in Nonfederal

Systems and Organizations” (Revision 1 published Dec 2016)

What DoD Is Doing

Unclassified 4

Unclassified 5

• Overview

• Covered Defense Information

• Subcontractor Flowdown

• Adequate Security

• Cloud Environment

• Implementation and Compliance

DFARS Clause 252.204-7012, Safeguarding Covered

Defense Information and Cyber Incident Reporting

Unclassified 6

Protecting the DoD’s Unclassified Information See FAQ 32

Security requirementsfrom CNSSI 1253, based on NIST SP 800-53, apply

DFARS Clause 252.204-7012, and/or FAR Clause 52.204-21, and security requirements from NIST SP 800-171 apply

When cloud services are used to process data on the DoD's behalf, DFARS Clause 252.239-7010 and DoD Cloud Computing SRG apply

DoD Owned and/or

Operated Information System

System Operated on Behalf of the DoD

Contractor’s Internal System

Controlled Unclassified Information

FederalContract

Information

Covered Defense Information

(includes Unclassified Controlled Technical Information)

ControlledUnclassified Information

(USG-wide)

Cloud Service Provider

External CSPEquivalent

to FedRAMPModerate

CSP

Internal CloudNIST SP 800-171

DoD Information System

CSP

When cloud services are provided by DoD, the DoD Cloud Computing SRG applies

Cloud Service Provider

Controlled Unclassified Information

Unclassified 7

DFARS Clause 252.204-7012, Safeguarding Covered

Defense Information and Cyber Incident Reporting

Nov 18, 2013

(Final Rule)

Aug 26, 2015 / Dec 30, 2015

(Interim Rules)

October 21, 2016

(Final Rule)

Scope – What

Information

• Unclassified Controlled

Technical Information

• Covered Defense Information

• Operationally Critical

Support

• Revised/clarified

definition for covered

defense information

Adequate Security

- Minimum Protections

• Selected controls in

NIST SP 800-53

• Aug 2015

NIST SP 800-171 (June 2015)

• NIST SP 800-171

(currently Revision 1,

published Dec 2016)

Deadline for

Adequate Security

• Contract Award • Dec 2015 – As soon as

practical, but NLT 31 Dec 17

• As soon as practical,

but NLT 31 Dec 2017

Subcontractor/

Flowdown

• Include the substance

of the clause in all

subcontracts

• Include in subcontracts

for operationally critical

support, or when involving

covered contractor

information system

• Contractor to determine

if information required

for subcontractor

performance retains

identity as CDI

When Contractors are faced with implementing multiple versions of the clause, Contracting Officers may work with Contractors, upon mutual agreement,

to implement the latest version of the clause

DFARS Clause 252.204-7012, Safeguarding Covered

Defense Information and Cyber Incident Reporting

DFARS Clause 252.204-7012 requires contractors/subcontractors to:

1. Provide adequate security to safeguard covered defense information that resides on or is transiting through a contractor’s internal information system or network

2. Report cyber incidents that affect a covered contractor information system or the covered defense information residing therein, or that affect the contractor’s ability to perform requirements designated as operationally critical support

3. Submit malicious software discovered and isolated in connection with a reported cyber incident to the DoD Cyber Crime Center

4. If requested, submit media and additional information to support damage assessment

5. Flow down the clause in subcontracts for operationally critical support, or for which subcontract performance will involve covered defense information

Unclassified 8

Covered Defense Information

Covered Defense Information Term used to identify information that requires protection under DFARS Clause 252.204-7012

• Unclassified controlled technical information (CTI) or other information, as described in the CUI Registry,1 that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government wide policies and is −

1) Marked or otherwise identified in the contract, task order, or delivery order and provided to contractor by or on behalf of, DoD in support of the performance of the contract; OR

2) Collected, developed, received, transmitted, used, or stored by, or on behalf of, the contractor in support of the performance of the contract2

2 “In support of the performance of the contract” is not meant to include the contractor’s internal

information (e.g., human resource or financial) that is incidental to contract performance

1 Referenced only to point to information that requires safeguarding or dissemination

controls pursuant to and consistent with law, regulations, government-wide policies

See FAQs 19 - 30

Unclassified 9

Government/Requiring Activity is required to:

• Use DoDM 5200.01 Vol 4, DoD Information Security Program: CUI and DoDI 5230.24, Distribution Statements on Technical Documents to identify and mark covered defense information

• Use Section C, e.g., Statement of Work, of the contract to require development and delivery of covered defense information from the contractor

• Direct appropriate marking and dissemination for covered defense information in the contract (e.g., Block 9 of Contract Data Requirements List (CDRL) DD Form 1423). Additional markings (e.g., Export Control) can be placed in Block 16.

• Verify that covered defense information is appropriately marked when provided to the contractor as Government Furnished Information

The contractor is responsible for:

• Following the terms of the contract, which includes the requirements in the Statement of Work

Identification and Marking of Covered Defense Information

Unclassified 10

DoDI 5230.24 – Distribution Statements on

Technical Documents

Distribution authorized to DoD only; Proprietary Information; 15 Apr 2017. Other requests for this document shall be referred to AFRL/VSSE, 3550 Aberdeen Ave. SE, Kirtland AFB, NM 87117-5776. REL TO UK

* Distro A: Public Release –

NO Dissemination limitation

Reason Date Controlling Org

Distribution A: Public Release*Distribution B: U.S. Govt OnlyDistribution C: U.S. Govt & ContractorsDistribution D: DoD & US DoD ContractorsDistribution E: DoD onlyDistribution F: Further dissemination only as directed by controlling office

Administrative or Operational UseContractor Performance EvaluationCritical TechnologyDirect Military SupportExport Controlled Foreign Government InformationOperations SecurityPremature DisseminationProprietary InformationSoftware DocumentationSpecific AuthorityTest and EvaluationVulnerability Information

Dissemination Limitation

Note: Controlling Org can be different than the Authoring Org

Note: Reason Determination Date

Example of Marking for Export Control Warning (Also requires separate distribution statement)

Example of Marking for Distribution Statement E

WARNING - This document contains technical data whose export is restricted by the Arms Export Control Act (Title 22, U.S.C., Sec 2751, et seq.) or the Export Administration Act of 1979 (Title 50, U.S.C., App. 2401 et seq.), as amended. Violations of these export laws are subject to severe criminal penalties. Disseminate in accordance with provisions of DoD Directive 5230.25.

Unclassified 11

Unclassified 12

Subcontractor Flowdown

When should DFARS Clause 252.204-7012 flow down to subcontractors?

• The clause is required to flow down to subcontractors only when performance will involve operationally critical support or covered defense information

• The contractor shall determine if the information required for subcontractor performance is, or retains its identify as, covered defense information and requires safeguarding

• Flowdown is a requirement of the terms of the contract with the Government, which must be enforced by the prime contractor as a result of compliance with these terms

− If a subcontractor does not agree to comply with the terms of DFARS Clause 252.204–7012, then covered defense information shall not be shared with the subcontractor or otherwise reside on it’s information system

The Department’s emphasis is on the deliberate management of information requiring protection. Prime contractors should minimize the flowdown of information requiring protection.

Unclassified 13

Adequate Security for Covered Defense Information

To provide adequate security to safeguard covered defense information:

DFARS 252.204-7012 (b) Adequate Security. … the contractor shall implement,

at a minimum, the following information security protections:

***

(b)(2)(ii)(A): The contractor shall implement NIST SP 800-171, Protecting

CUI in Nonfederal Systems and Organizations, as soon as practical, but not

later than December 31, 2017

***

(b)(3): Apply other information systems security measures when the Contractor

reasonably determines that information systems security measures, in addition

to those identified in paragraphs (b)(1) and (2) of this clause, may be required

DFARS 252.204-7012 directs how the contractor shall protect covered defense information;

The requirement to protect it is based in law, regulation, or Government wide policy.

Unclassified 14

Implementing NIST SP 800-171 Security Requirements

Most requirements in NIST SP 800-171 are about policy, process, and configuring

IT securely, but some may require security-related software or hardware. For

companies new to the requirements, a reasonable approach would be to:

1. Examine each of the requirements to determine

— Policy or process requirements

— Policy/process requirements that require an implementation in IT

(typically by either configuring the IT in a certain way or through use of

specific software)

— IT configuration requirements

— Any additional software or hardware required

The complexity of the company IT system may determine whether additional

software or tools are required

2. Determine which requirements can readily be accomplished by in-house IT

personnel and which require additional research or assistance

3. Develop a plan of action and milestones to implement the requirements

Approach to Implementing NIST SP 800-171 Requirements

AC AT AU CM IA IR MA MP PS PE RA CA SC SI

3.1.1 3.2.1 3.3.1 3.4.1 3.5.1 3.6.1 3.7.1 3.8.1 3.9.1 3.10.1 3.11.1 3.12.1 3.13.1 3.14.1

3.1.2 3.2.2 3.3.2 3.4.2 3.5.2 3.6.2 3.7.2 3.8.2 3.9.2 3.10.2 3.11.2 3.12.2 3.13.2 3.14.2

3.8.3 3.11.3 3.12.3 3.14.3

(3.12.4)

3.1.3 3.2.3 3.3.3 3.4.3 3.5.3 3.6.3 3.7.3 3.8.4 3.10.3 3.13.3 3.14.4

3.1.4 3.3.4 3.4.4 3.5.4 3.7.4 3.8.5 3.10.4 3.13.4 3.14.5

3.1.5 3.3.5 3.4.5 3.5.5 3.7.5 3.8.6 3.10.5 3.13.5 3.14.6

3.1.6 3.3.6 3.4.6 3.5.6 3.7.6 3.8.7 3.10.6 3.13.6 3.14.7

3.1.7 3.3.7 3.4.7 3.5.7 3.8.8 3.13.7

3.1.8 3.3.8 3.4.8 3.5.8 3.8.9 3.13.8

3.1.9 3.3.9 3.4.9 3.5.9 3.13.9

3.1.10 3.5.10 3.13.10

3.1.11 3.5.11 3.13.11

3.1.12 3.13.12

3.1.13 3.13.13

3.1.14 3.13.14

3.1.15 Policy/Process Policy or Software Requirement 3.13.15

3.1.16 3.13.16

3.1.17 Configuration Configuration or Software

3.1.18

3.1.19 Software Configuration or Software or Hardware3.1.20

3.1.21 Hardware Software or Hardware3.1.22

Basic

(FIPS 200)

Derived

(800-53)

Unclassified 15

Demonstrating Implementation of NIST SP 800-171

— System Security Plan and Plans of Action

• To document implementation of NIST SP 800-171, companies should have a system security plan in place, in addition to any associated plans of action:

Security Requirement 3.12.4 (System Security Plan): Requires the contractor to develop, document, and periodically update, system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems

Security Requirement 3.12.2 (Plans of Action): Requires the contractor to develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in their systems, and to describe how and when any unimplemented security requirements will be met

Unclassified 16

Unclassified 17

Alternative but Equally Effective

Security Measures

• Per DFARS Clause 252.205-7012(b)(2)(ii)(B), if the offeror proposes to vary from NIST SP 800-171, the Offeror shall submit to the Contracting Officer, for consideration by the DoD CIO, a written explanation of -

- Why security requirement is not applicable; OR

- How an alternative but equally effective security measure is used to achieve equivalent protection

• When DoD CIO receives a request from a contracting officer, representatives in DoD CIO review the request to determine if the proposed alternative satisfies the security requirement, or if the requirement for non-applicability is acceptable

- The assessment is documented and provided to the contracting officer, generally within 5 working days

- If request is favorably adjudicated, the assessment should be included in the contractor’s system security plan

See FAQ 59 - 62

Unclassified 18

Cyber Incident Reporting

What is a cyber incident?

A “Cyber incident” is an action(s) taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein.

“Compromise” means disclosure of information to unauthorized persons, or a violation of the security policy of a system, in which unauthorized intentional or unintentional disclosure, modification, destruction, or loss of an object, or the copying of information to unauthorized media may have occurred.

DFARS 204.7302 (d)

A cyber incident that is reported by a contractor or subcontractor shall not, by itself, be interpreted as evidence that the contractor or subcontractor has failed to provide adequate security on their covered contractor information systems, or has otherwise failed to meet the requirements of the clause at 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting.

Unclassified 19

Cyber Incident Reporting

When a cyber incident occurs, the contractor/subcontractor shall:

• Review contractor network(s) for evidence of compromise of covered defense information using contractor’s available tools, including, but not limited to, identifying compromised computers, servers, specific data, and user accounts

• Identify covered defense information that may have been affected in the cyber incident

• If contract contains requirement for operationally critical support, determine if the incident affects the contractor’s ability to provide operationally critical support

• Rapidly report (within 72 hours of the discovery of an incident) directly to DoD

Subcontractors provide the incident report number, automatically assigned by DoD, to the prime Contractor (or next higher-tier subcontractor) as soon as practicable

DFARS Clause 252.204-7012(c)(1)

Unclassified 20

Cyber Incident Reporting

When reporting a cyber incident, contractors/subcontractors submit

to DoD—

• A cyber incident report via https://dibnet.dod.mil/

• Malicious software if detected and isolated

• Media or access to covered contractor information systems and equipment when

requested by the requiring activity/contracting officer

Upon receipt of a cyber incident report —

• The DoD Cyber Crime Center (DC3) sends the report to the contracting officer(s)

identified on the Incident Collection Format (ICF) via encrypted email; the

contracting officer(s) provide the ICF to the requiring activity(ies)

• DC3 analyzes the report to identify cyber threat vectors and adversary trends

• DC3 contacts the reporting company if the report is incomplete (e.g., no contract

numbers, no contracting officer listed)

Unclassified 21

Cyber Incident Reporting

Company name and point of contact information Date incident discovered

Data Universal Numbering System (DUNS) Number Incident/Compromise narrative

Contract number(s) or other type of agreement affected or potentially affected

Type of compromise (unauthorized access, unauthorized release, unknown, not applicable)

Contact or other type of agreement clearance level Description of technique or method used in cyber incident

Contracting Officer or other agreement contact

USG Program Manager point of contact (address, position, telephone, email)

Incident outcome (successful compromise, failed attempt, unknown)

Facility Clearance Level (Unclassified, Confidential, Secret, Top Secret, Not applicable)

Impact to Covered Defense Information

Facility CAGE code Impact on ability to provide operationally critical support

Incident location CAGE code DoD programs, platforms or systems involved

Location(s) of compromise Any additional information relevant to incident

The cyber incident report – contractors shall report as much of the following information as can be obtained within 72 hours of discovery of a cyber incident:

OMB Information Collection # 0704_0489, expiration 10/31/2019

Unclassified 22

DIB CS Web Portal

Access beyond this page requires a DoD-approved medium assurance

certificate. For more information please visit the ECA website.

https://www.DIBNet.dod.mil

Unclassified 23

Cyber Incident Damage Assessment Activities

Purpose of the cyber incident damage assessment —

• Determine impact of compromised information on U.S. military capability underpinned by the technology

• Consider how the compromised information may enable an adversary to counter, defeat, or reverse engineer U.S. capabilities

• Focus on the compromised intellectual property impacted by the cyber incident not on the compromise mechanism

DoD decision to conduct a cyber incident damage assessment —

• Contracting officer verifies clause is included in the contract

• The Requiring Activity and the DoD Component damage assessment office (DAMO) will determine if a cyber incident damage assessment is warranted

• Decision to request media must be made within 90 days of the cyber incident report

Unclassified 24

Cloud Computing

Safeguarding Covered Defense Information and Cyber Incident Reporting 48 CFR Parts 202, 204, 212, and 252, DFARS Clause 252.204-7012

• Applies when a contractor uses an external cloud service provider to store, process, or transmit Covered Defense Information on the contractor’s behalf

• Ensures that the cloud service provider:

— Meets requirements equivalent to those established for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline

— Complies with requirements for cyber incident reporting and damage assessment

Cloud Computing Services 48 CFR Parts 239 and 252, DFARS Clause 252.239-7010

• Applies when a cloud solution is being used to process data on the DoD's behalf or DoD is contracting with Cloud Service Provider to host/process data in a cloud

• Requires the cloud service provider to:

— Comply with the DoD Cloud Computing Security Requirements Guide

— Comply with requirements for cyber incident reporting and damage assessment

Unclassified 25

DFARS Clause 252.204-7012, Safeguarding Covered

Defense Information and Cyber Incident Reporting

Compliance

• Compliance with DFARS Clause 252.204-7012

• Demonstrating Implementation of the Security Requirements in NIST SP 800-171

• Considering a Contractor’s Internal Information System in Source Selection

Contractor Compliance — Implementation of

DFARS Clause 252.204-7012

• By signing the contract, the contractor agrees to comply with the terms of the contract and all requirements of the DFARS Clause 252.204-7012

• It is the contractor’s responsibility to determine whether it is has implemented the NIST SP 800-171 (as well as any other security measures necessary to provide adequate security for covered defense information)

DoD will not certify that a contractor is compliant with the NIST SP 800-171 security requirements

Third party assessments or certifications of compliance are not required, authorized, or recognized by DoD

• Per NIST SP 800-171, federal agencies may consider the submitted system security plan and plans of action as critical inputs to an overall risk management decision to process, store, or transmit CUI on a nonfederal organization

Unclassified 26

Assessing Compliance of a Contractor’s

Internal Unclassified Information System

Unclassified 27

OBJECTIVE SOLICITATION SOURCE SELECTION CONTRACT

Pre-Award (Solicitation and Source Selection)

1. Contractor ‘self-attests’ to compliance with DFARS 252.204-7012 (Status Quo)2. Require enhanced cybersecurity measures in addition to NIST SP 800-171 3. Establish measures to assess/affirm contractor compliance with cybersecurity

requirementsa. ‘Go/No Go’ evaluation criteria/thresholdb. Compliance as a separate technical evaluation factorc. On-site government assessment of Contractor’s internal unclassified information

systemd. Request Contractor’s plan to track flow down of information requiring protection and

assess suppliers

Post-Award

e. Assess/track Contractor’s system security plan and associated plans of action f. On-site government assessment of Contractor’s internal unclassified information

system 4. Government/Contractor identification of information requiring protection

Defense Contract Management Agency (DCMA)

Oversight of DFARS Clause 252.204-7012

Actions DCMA will take in response to DFARS Clause 252.204-7012:

• Encourage industry to adopt corporate, segment, or facility-level system security plans as may be appropriate in order to ensure more consistent implementations and to reduce costs

• Verify that system security plans and any associated plans of action are in place (DCMA will not assess plans against the NIST 800-171 requirements)

• If potential cybersecurity issue is detected –notify contractor, DoD program office, and DoD CIO

• During the normal Contract Receipt and Review process -verify that DFARS Clause 252.204-7012 is flowed down to sub-contractors/suppliers as appropriate

• For contracts awarded before October 2017 -verify that contractor submitted to DoD CIO notification of security requirements not yet implemented

• Verify contractor possesses DoD-approved medium assurance certificate to report cyber incidents

• When required, facilitate entry of government assessment team into contractor facilities via coordination with cognizant government and contractor stakeholders

Unclassified 28

Resources —

Frequently Asked Questions (FAQs)

Quick Look for FAQ Topics

Safeguarding Covered Defense Information and Cyber Incident Reporting (DFARS 252.204-7008 and 252.204-7012)

GeneralQ1 Q18

Covered Defense InformationQ19 Q30

Operationally Critical SupportQ31

Safeguarding Covered Defense InformationQ32 Q34

Cyber Incidents and ReportingQ35 Q45

Submission of Malicious SoftwareQ46

Cyber Incident Damage AssessmentQ47

NIST SP 800-171

General Implementation IssuesQ49 Q67

Specific Security RequirementsQ68 Q98

Cloud Computing

GeneralQ99 101

Cloud solution being used to store data on DoD’s behalf (DFARS 252.239-7009 and 252.204-7010, Cloud Computing Services) Q102

Contractor using cloud solution to store covered defense information (DFARS 252.204-7008 and 252.204-7012 apply)Q103 Q109

Basic Safeguarding of Contractor Information Systems (FAR Clause 52.204.21)

Q48

Limitations on the use or disclosure of third-party contractor reported cyber incident information (DFARS Clause 252.204-7009)

Q47

Unclassified 29

Resources

• NIST Manufacturing Extension Partnership (MEP) Public-private partnership with Centers in all 50 states and Puerto Rico

dedicated to serving small and medium-sized manufacturers Published “Cybersecurity Self-Assessment Workbook for Assessing

NIST SP 800-171 Security Requirements in Response to DFARS Cybersecurity Requirements”, November 2017

https://nvlpubs.nist.gov/nistpubs/hb/2017/NIST.HB.162.pdf

• Procurement Technical Assistance Program (PTAP) and Procurement TechnicalAssistance Centers (PTACs)

Nationwide network of centers/counselors experienced in government contracting, many of which are affiliated with Small Business Development Centers and other small business programs

http://www.dla.mil/HQ/SmallBusiness/PTAP.aspx

• Cybersecurity Evaluation Tool (CSET) No-cost application, developed by DHS, provides step-by-step process to

evaluate information technology network security practices https://ics-cert.us-cert.gov/Downloading-and-Installing-CSET

Unclassified 30

Resources

• Cybersecurity in DoD Acquisition Regulations page at (http://dodprocurementtoolbox.com/)for Related Regulations, Policy, Frequently Asked Questions, and Resources, June 26, 2017

• DPAP Website (http://www.acq.osd.mil/dpap/dars/dfarspgi/current/index.html)for DFARS, Procedures, Guidance and Information (PGI), and Frequently Asked Questions

• NIST SP 800-171, Revision 1 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r1.pdf)

• NIST SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information (https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171a.pdf)

• DoDI 5230.24, Distribution Statements on Technical Documents(www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodi/523024p.pdf)

• Cloud Computing Security Requirements Guide (SRG) (http://iasecontent.disa.mil/cloud/SRG/)

• DoD’s Defense Industrial Base Cybersecurity program (DIB CS Program)(https://dibnet.dod.mil)

Questions? Submit via email at [email protected]

Unclassified 31


Top Related